Look inside your crontab too: this could be a good way to temporary run and stop some backdoor process (by night for instance)

Analyze your logs

Once you identify the origin of your zombie software/script, if this is something intentionally placed inside the AMI since the beginning and not just put there by hacking your server: you can identify the AMI owner account and report this to AWS support.

Here is a way to find an AMI owner account

My last advices on AWS EC2:

Always Use AWS Official AMIs whenever you can

If for some reason you have to use a Community AMI

please deploy it in a Restricted SecurityGroup (for example ONLY Inbound SSH from your specific LAN/IP when deploying)

clean your root/.ssh/authorized_keys to keep only your official one

monitor process/crontab/installed software to clean your instance

allow Outbound traffic and another necessary inbound traffic ONLY for the needed Source (not from 0.0.0.0/0 if you don’t absolutely need to)